Invalid Azure Key Vault key path specified

Question

Invalid Azure Key Vault key path specified

Velayutham P 1

Failed to decrypt a column encryption key using key store provider: 'AZURE_KEY_VAULT'. Verify the properties of the column encryption key and its column master key in your database. The last 10 bytes of the encrypted column encryption key are: 'XX-XX-XX-XX-F8-10-F6-00-EA-9D'.
Invalid Azure Key Vault key path specified: 'https://xxxxxxxxxxxxxxxxxxx.vault.azure.net/keys/cutomekey/xxxxxxxxxxxxxxxxxx'. Valid trusted endpoints: https://xxxxxxxxxxxxxxxxx.vault.azure.net/. (Parameter 'masterKeyPath') Invalid Azure Key Vault key path specified: ''https://xxxxxxxxxxxxxxxxxxx.vault.azure.net/keys/cutomekey/xxxxxxxxxxxxxxxxxx'.'. Valid trusted endpoints: https://xxxxxxxxxxxxx.vault.azure.net/. (Parameter 'masterKeyPath')

I am getting above error when decrypt the column through code (.net core 3.2).

The decryption working when decrypt through SSMS(Microsoft Management Studio).

The Key stored in keyvault is custom managed key.

And enable managed identity between keyvault and appservice.

but i dont know why this is not working. its worked few months back!

1 answer

Your answer

Answer 1

SSingh-MSFT 16,371 Moderator

Hi @Velayutham P ,

Welcome to Microsoft Q&A platform and thanks for using Azure Services.

As I understand from the Error, Invalid Azure Key Vault key path specified.

It could be related with the Azure key vault firewall. The member who wants to 'decrypt' the data should whitelisted their IP address in Azure key vault.

Try to check permissions too. In order to completely verify that you have the correct permissions, go to Key Vault Blade:

Select Access Policies from the Key Vault resource blade menu on the left
Click the "add new" link/button at the top
Select Principal to select the application that you are using (i.e. the app registration from which you got the client ID from)
From the Key permissions drop down, make sure you give it "Decrypt", "Sign", "Get", "UnwrapKey" permissions
Make sure to save changes

Lastly - you have to make sure your app registration has the correct permissions for your subscription.

Hope this will help. Please let us know if any further queries.

------------------------------

Please don't forget to click on or upvote button whenever the information provided helps you.
Original posters help the community find answers faster by identifying the correct answer. Here is how
Want a reminder to come back and check responses? Here is how to subscribe to a notification

Velayutham P 1 Reputation point

2022-11-17T16:29:42.373+00:00
Thanks, ShaktiSingh-MSFT.

----------

we are enable the Managed Identity for communicate with key vault.

both keyvault and appservice in a same VNET. and give all the permissions in AccessPolicies.
SSingh-MSFT 16,371 Reputation points Moderator

2022-11-18T05:01:40.373+00:00

Hi @Velayutham P ,

Make sure your app registration has the correct permissions for your subscription.

Did you use the same .net version as before?
Velayutham P 1 Reputation point

2022-11-18T05:37:43.463+00:00

Thanks @SSingh-MSFT ,

Make sure your app registration has the correct permissions for your subscription. - Verified!

Did you use the same .net version as before? before we are used .net core 3, now .net 6.

But we are faced the same issue in .net core 3 also!.
SSingh-MSFT 16,371 Reputation points Moderator

2022-11-18T11:39:42.17+00:00

Hi @Velayutham P ,

This is strange and not expected. I would recommend you to please file a support ticket for deeper investigation and in case if you don't have a support plan, do let us know here so that we can check on other options to unblock you. Thanks

Share via

Invalid Azure Key Vault key path specified

1 answer

Your answer